Mandell Menkes Brings a Potentially Devastating Medical Data Breach to a Successful Conclusion

On March 7, 2012, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued notice to Mandell Menkes that it had concluded its investigation of a security breach involving protected health information (PHI) maintained by Mandell Menkes’ client, and did not intend to take any further action. The letter marked the end of a series of events that were set in motion six months earlier when the OCR, acting on a third-party complaint, found medical records of thousands of the client’s patients allegedly abandoned in the garage of a residential building. Mandell Menkes represented the client in every stage of the process, from forming its strategy and its initial response to the OCR to the successful conclusion of the investigation. During the process, Mandell Menkes worked with the client to revise its documents and procedures to prevent a similar situation from recurring in the future.


The complaint arose from the clinic’s agreement with a recovery company specializing in the extraction of silver from x-ray film. The agreement provided that the recovery company would extract silver from certain archived x-ray film and dispose of the remaining material appropriately. In violation of the agreement, a recovery company employee removed numerous boxes of x-ray film and other PHI from the client’s premises and left the records in the garage of his rented residence. The employee’s landlord found the records and alerted OCR. The OCR immediately launched a large-scale investigation into whether the client had violated, among other laws, the HIPAA Security, Privacy and Breach Notification rules.


Throughout the investigation, Mandell Menkes represented the clinic at meetings with OCR; coordinated the clinic’s efforts to successfully retrieve and secure the abandoned PHI; drafted HIPAA-compliant policies and procedures for the clinic related to PHI disclosures, safeguards, business associates, record disposal and workforce training; prepared and disseminated breach notifications to the affected patients, local media and the Secretary of the U.S. Department of Health and Human Services; and helped the client respond to public inquiries following breach notification. Based on these actions, OCR concluded its investigation without requiring a formal hearing or imposing any civil money penalties.